Base Station Security Experiments Using USRP
MetadataVis full innførsel
With a coverage of over 90% of the world's population, the cellular technology standard, GSM, is used by millions all over the world every day. The standard is known to have several security weaknesses. One of the weaknesses is that there is no authentication of the network. IMSI-catchers exploit this weakness to perform various attacks. The largest Norwegian newspaper, Aftenposten, searched for IMSI-catchers in Oslo in December 2014. The newspaper used two different methods in the search. The conclusion of Aftenposten was that they ''most likely'' found several IMSI-catchers in Oslo. In this thesis, IMSI-catchers are studied. An IMSI-catcher is built and configured with an USRP and OpenBTS. Two attacks were performed in an experiment with the IMSI-catcher. The first attack presented is a DoS attack aimed at subscribers of specific operators. The other attack presented is a selective jamming attack, aimed at a specific subscriber. In both the attacks, IMSIs were caught. Both types of attacks were successful. It was found that the effectiveness of the IMSI-catcher depends on the signal strength from the nearby base stations. The experiments indicate that for the proposed IMSI-catcher to be effective, it should be operating and be in the vicinity of the targeted cellphones for several minutes. Additionally, the investigations made by Aftenposten are analyzed and discussed in this thesis. A technical analysis is performed on all the data Aftenposten acquired in Oslo in December 2014 and the major anomalies found by Aftenposten are discussed in details. From the analysis, it was found that it is possible that Aftenposten observed at least one IMSI-catcher during the investigations. The first articles published by Aftenposten in December 2014 were likely based on misinterpretations of the data the newspaper acquired. It was also discovered a possible bug in the measuring equipment used by Aftenposten. Some of the anomalies discovered by Aftenposten might have been due to misconfigurations of the networks in Oslo.